Further analysis of password authentication schemes based on authentication tests

摘要

In this paper, we present further analysis of Yang-Shieh's password authentication schemes. At first, we formally analyze Yang-Shieh's two password authentication schemes on the basis of authentication tests to disclose the insecurity of the two schemes, and then give two kind of examples, one is our attack to the nonce-based scheme and the other is Chan-Cheng's attack (Comput Secur 21 (2002) 74) and Fan-Li-Zhu's attack (Comput Secur 21 (2002) 665) to the timestamp-based scheme. Secondly, we propose an amendment of the timestamp-based scheme to withstand the attacks of Chan-Cheng and Fan-Li-Zhu, and propose our improved nonce-based scheme. Finally, we formally analyze our two improved schemes with the authentication tests, and prove they are secure in password authentication. Our improved schemes preserve the merits of Yang Shieh's schemes, and the improved timestamp-based scheme can withstand the attacks of Chan-Cheng and Fan-Li-Zhu, and the improved nonce-based scheme is able to prevent malicious replay attacks in the network without synchronized clock or with long transmission delay. (C) 2004 Elsevier Ltd. All rights reserved.